24 November 2009

The US cares for data protection

Well, I agree the title of this post reads as somewhat provocative. Nevertheless, it is driven by the criticism that European data protection practitioners usually express towards their US colleagues’ approach when dealing with privacy and protection of personal data.

This should not be surprising, as the right to privacy is a highly developed area of law in Europe. Accordingly, the European Union has long had a privacy framework for the processing of personal information that is different from, and more restrictive than, privacy practices in the US. By contrast, the United States prefers what is called a “sectoral” approach to data protection legislation, relying on a combination of legislation, regulation, and self-regulation, rather than overarching governmental regulations (see “A Framework for Global Electronic Commerce”). To date, the US has no single, overarching privacy law comparable to the EU Directive.

The EU Data Protection Directive requires EU member states to provide for legislation that prohibits the transfer of personal data outside the EU. However, there are some exemptions from that rule, one of which applies where the EU has determined that the laws of the country of destination provide “adequate” protection for personal data. Among others, Switzerland and Argentina were determined to be such countries. In the late 1990s, the EU determined that the laws of the United States did not meet its adequacy standard.

However, in order not to totally prohibit the transfer of personal data between the largest economies, the US Department of Commerce, in consultation with the European Commission, developed the “Safe Harbor Arrangement”. As a consequence, US companies that are under the jurisdiction of the Federal Trade Commission or the US Department of Transportation may enrol in that arrangement and process personal data submitted by their European partners (subsidiaries).

A company under the FTC’s jurisdiction that self-certifies its compliance with the Safe Harbor Arrangement but fails to observe it may be subject to an enforcement action under Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices.

After a decade without any enforcement actions, the FTC recently proceeded against seven companies and obtained consent orders against them.

While these actions by the FTC are said not to represent substantive enforcement within the Safe Harbor Arrangement, they do signify that companies need to be even more vigilant about the content of their privacy policies and marketing assertions.
